mirrors/krata
1
0
Fork 0
mirror of https://github.com/edera-dev/krata.git synced 2025-08-03 05:10:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(security): pin docker images and improve actions permissions

Browse Source
This commit is contained in:
Alex Zenla 2024-07-16 14:57:40 -07:00
parent b57d95c610
commit 0e3ce8ce3c
No known key found for this signature in database
GPG Key ID: 067B238899B51269
11 changed files with 31 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/check.yml vendored
View File

@ -17,7 +17,7 @@ jobs:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with: with:
submodules: recursive submodules: recursive
- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
with: with:
components: rustfmt components: rustfmt
- run: ./hack/ci/install-linux-deps.sh - run: ./hack/ci/install-linux-deps.sh

4
.github/workflows/client.yml vendored
View File

@ -35,9 +35,9 @@ jobs:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with: with:
submodules: recursive submodules: recursive
- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
if: ${{ matrix.platform.os != 'darwin' }} if: ${{ matrix.platform.os != 'darwin' }}
- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
with: with:
targets: "${{ matrix.platform.arch }}-apple-darwin" targets: "${{ matrix.platform.arch }}-apple-darwin"
if: ${{ matrix.platform.os == 'darwin' }} if: ${{ matrix.platform.os == 'darwin' }}

10
.github/workflows/nightly.yml vendored
View File

@ -5,8 +5,6 @@ on:
- cron: "0 10 * * *" - cron: "0 10 * * *"
permissions: permissions:
contents: read contents: read
packages: write
id-token: write
jobs: jobs:
server: server:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -26,7 +24,7 @@ jobs:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with: with:
submodules: recursive submodules: recursive
- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
with: with:
targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl" targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
- run: ./hack/ci/install-linux-deps.sh - run: ./hack/ci/install-linux-deps.sh
@ -84,9 +82,9 @@ jobs:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with: with:
submodules: recursive submodules: recursive
- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
if: ${{ matrix.platform.os != 'darwin' }} if: ${{ matrix.platform.os != 'darwin' }}
- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
with: with:
targets: "${{ matrix.platform.arch }}-apple-darwin" targets: "${{ matrix.platform.arch }}-apple-darwin"
if: ${{ matrix.platform.os == 'darwin' }} if: ${{ matrix.platform.os == 'darwin' }}
@ -115,6 +113,8 @@ jobs:
- kratanet - kratanet
- krata-guest-init - krata-guest-init
name: "oci build ${{ matrix.component }}" name: "oci build ${{ matrix.component }}"
permissions:
packages: write
steps: steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with: with:

2
.github/workflows/os.yml vendored
View File

@ -25,7 +25,7 @@ jobs:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with: with:
submodules: recursive submodules: recursive
- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
with: with:
targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl" targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
- run: ./hack/ci/install-linux-deps.sh - run: ./hack/ci/install-linux-deps.sh

17
.github/workflows/release-binaries.yml vendored
View File

@ -1,8 +1,4 @@
name: release-binaries name: release-binaries
permissions:
contents: write
packages: write
id-token: write
on: on:
release: release:
types: types:
@ -25,7 +21,9 @@ jobs:
- aarch64 - aarch64
env: env:
TARGET_ARCH: "${{ matrix.arch }}" TARGET_ARCH: "${{ matrix.arch }}"
name: release-binaries server ${{ matrix.arch }} name: "release-binaries server ${{ matrix.arch }}"
permissions:
contents: write
steps: steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with: with:
@ -33,7 +31,7 @@ jobs:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with: with:
submodules: recursive submodules: recursive
- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
with: with:
targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl" targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
- run: ./hack/ci/install-linux-deps.sh - run: ./hack/ci/install-linux-deps.sh
@ -68,6 +66,8 @@ jobs:
run: run:
shell: bash shell: bash
timeout-minutes: 60 timeout-minutes: 60
permissions:
contents: write
steps: steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with: with:
@ -75,7 +75,7 @@ jobs:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with: with:
submodules: recursive submodules: recursive
- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
if: ${{ matrix.platform.os != 'darwin' }} if: ${{ matrix.platform.os != 'darwin' }}
- uses: dtolnay/rust-toolchain@stable - uses: dtolnay/rust-toolchain@stable
with: with:
@ -103,6 +103,9 @@ jobs:
- kratanet - kratanet
- krata-guest-init - krata-guest-init
name: "release-binaries oci ${{ matrix.component }}" name: "release-binaries oci ${{ matrix.component }}"
permissions:
contents: write
packages: write
steps: steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with: with:

8
.github/workflows/release-plz.yml vendored
View File

@ -1,7 +1,4 @@
name: release-plz name: release-plz
permissions:
pull-requests: write
contents: write
on: on:
push: push:
branches: branches:
@ -13,6 +10,9 @@ jobs:
release-plz: release-plz:
name: release-plz name: release-plz
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
pull-requests: write
contents: write
steps: steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with: with:
@ -27,7 +27,7 @@ jobs:
submodules: recursive submodules: recursive
fetch-depth: 0 fetch-depth: 0
token: "${{ steps.generate-token.outputs.token }}" token: "${{ steps.generate-token.outputs.token }}"
- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
- run: ./hack/ci/install-linux-deps.sh - run: ./hack/ci/install-linux-deps.sh
- name: release-plz - name: release-plz
uses: MarcoIeni/release-plz-action@86afd21a7b114234aab55ba0005eed52f77d89e4 # v0.5.62 uses: MarcoIeni/release-plz-action@86afd21a7b114234aab55ba0005eed52f77d89e4 # v0.5.62

8
.github/workflows/server.yml vendored
View File

@ -25,7 +25,7 @@ jobs:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with: with:
submodules: recursive submodules: recursive
- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
- run: ./hack/ci/install-linux-deps.sh - run: ./hack/ci/install-linux-deps.sh
- run: ./hack/build/cargo.sh build - run: ./hack/build/cargo.sh build
test: test:
@ -45,7 +45,7 @@ jobs:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with: with:
submodules: recursive submodules: recursive
- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
- run: ./hack/ci/install-linux-deps.sh - run: ./hack/ci/install-linux-deps.sh
- run: ./hack/build/cargo.sh test - run: ./hack/build/cargo.sh test
clippy: clippy:
@ -65,7 +65,7 @@ jobs:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with: with:
submodules: recursive submodules: recursive
- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
with: with:
components: clippy components: clippy
- run: ./hack/ci/install-linux-deps.sh - run: ./hack/ci/install-linux-deps.sh
@ -87,7 +87,7 @@ jobs:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with: with:
submodules: recursive submodules: recursive
- uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
with: with:
targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl" targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
- run: ./hack/ci/install-linux-deps.sh - run: ./hack/ci/install-linux-deps.sh

2
images/Dockerfile.krata-guest-init
View File

@ -1,4 +1,4 @@
FROM rust:1.79-alpine AS build FROM rust:1.79-alpine@sha256:a454f49f2e15e233f829a0fd9a7cbdac64b6f38ec08aeac227595d4fc6eb6d4d AS build
RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/* RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/*
ENV TARGET_LIBC=musl TARGET_VENDOR=unknown ENV TARGET_LIBC=musl TARGET_VENDOR=unknown

2
images/Dockerfile.kratactl
View File

@ -1,4 +1,4 @@
FROM rust:1.79-alpine AS build FROM rust:1.79-alpine@sha256:a454f49f2e15e233f829a0fd9a7cbdac64b6f38ec08aeac227595d4fc6eb6d4d AS build
RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/* RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/*
ENV TARGET_LIBC=musl TARGET_VENDOR=unknown ENV TARGET_LIBC=musl TARGET_VENDOR=unknown

2
images/Dockerfile.kratad
View File

@ -1,4 +1,4 @@
FROM rust:1.79-alpine AS build FROM rust:1.79-alpine@sha256:a454f49f2e15e233f829a0fd9a7cbdac64b6f38ec08aeac227595d4fc6eb6d4d AS build
RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/* RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/*
ENV TARGET_LIBC=musl TARGET_VENDOR=unknown ENV TARGET_LIBC=musl TARGET_VENDOR=unknown

2
images/Dockerfile.kratanet
View File

@ -1,4 +1,4 @@
FROM rust:1.79-alpine AS build FROM rust:1.79-alpine@sha256:a454f49f2e15e233f829a0fd9a7cbdac64b6f38ec08aeac227595d4fc6eb6d4d AS build
RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/* RUN apk update && apk add protoc protobuf-dev build-base && rm -rf /var/cache/apk/*
ENV TARGET_LIBC=musl TARGET_VENDOR=unknown ENV TARGET_LIBC=musl TARGET_VENDOR=unknown